Use a sniffer to ensure stable network operation

Source: Internet
Author: User

Network, system-administration and security staff routinely run into problems while managing and maintaining a network. For example: why has network throughput suddenly dropped? Why can't a web page be opened while QQ still connects? Why have some hosts suddenly lost connectivity? Problems like these must be solved quickly and effectively to minimize their impact on the normal business of the enterprise, so we need a tool that helps us identify their cause quickly and reliably.

A network sniffer is such a tool. By analyzing all the packets entering and leaving a LAN, it lets you quickly find the cause of all kinds of network problems, which is why it is favored by network administrators and security technicians.

However, we should also remember that a switch uses its MAC address table to decide which port a packet is forwarded to. If a sniffer is simply plugged into a switch port and its network interface card is put into promiscuous mode, it can only capture the packets that are sent to or from the sniffer itself. In other words, in a switched network the sniffer cannot analyze the packets of other hosts, or of the whole LAN, unless a special method is used. So if we want to use a sniffer to solve network problems in such an environment, we must consider how to connect it at the target location so that it can capture the traffic of one host or of the whole network segment.

In a switched network there are currently three feasible ways to use a sniffer: the port mirroring function of a managed switch, inserting a hub or a cable TAP junction box, and choosing sniffing software with special capabilities. Each of these three methods suits a different switch environment. This article describes the specific application of the three access methods in today's mainstream switched network environments.

1. Using the port mirroring function of a managed switch

Most managed switches now offer a function called port spanning or port mirroring, with a port that can be designated for it. Using the switch's port mirroring function, we can copy the traffic of other switch ports to this special port. As long as the sniffer is connected to this port and its network interface card is set to promiscuous mode, every packet forwarded by the switch can be sniffed.

To use a switch's port mirroring function, the switch must be configured first. How this is done depends on the configuration interfaces the switch offers: some switches are configured through a console terminal, others more intuitively through a web interface, and many can also be configured through remote login. For the sake of the switch's security, it is best to use local console management or local web management. Figure 1.1 shows the topology of a sniffer connected through the port mirroring function.

 

Figure 1.1 Topology of a network sniffer connected through port mirroring

Currently, some small and medium-sized enterprises build their local networks with unmanaged switches only, either because the network is small or to save IT costs. With an unmanaged switch, the port mirroring function is not available for attaching a sniffer. So what method should we use in a network built from such switches to see the traffic flowing through the network, or simply to sniff the traffic entering and leaving one workstation?

Currently, two methods can be used in such a switched network environment:

The first method is to attach a small hub to the switch and sniff there. All hosts to be sniffed are connected to this hub, so the part of the network being sniffed becomes a shared Ethernet: every packet in this rebuilt shared LAN is repeated to all ports of the hub. You then only need to put the sniffer's Ethernet NIC into promiscuous mode to capture all packets transmitted in the shared LAN.

This method has some limitations, however. On the one hand, connecting a key network segment to a hub means all the workstations share the hub's bandwidth, so too many workstations will hurt their network performance. On the other hand, if sniffing was not considered when the LAN was built, there will be no hub in place from the start. Inserting a hub between the switch and the hosts while the LAN is running therefore interrupts the network, and removing it afterwards interrupts it once more. For this reason, this sniffing method is used only when a serious network problem has occurred and a sniffer is needed to analyze and resolve it. Figure 2.1 shows the topology of a sniffer connected through a hub.

 

 

Figure 2.1 Topology of a network sniffer connected through a hub

The second method is to attach a cable TAP junction box to the switch and sniff there. All the workstations or servers to be managed are connected through the cable TAP junction box; because it is also a shared-medium connection device, you can sniff all packets transmitted in the LAN built with it.

Unlike a hub, a cable TAP junction box has separate transmit and receive paths, so its bandwidth is comparable to that of a switch; it does, however, require two network cables, connecting its receive and transmit interfaces to separate ports of the switch. A cable TAP can be installed as a fixed, permanent part of the network structure without affecting transmission performance, so it can be added when the network is first built and then used throughout later network management.

Many network equipment vendors now produce cable TAP junction boxes for use with network protocol analyzers, allowing the analyzer to monitor and analyze all traffic in the whole switched network. Fluke Networks, for example, produces in-line TAP devices. Figure 2.2 shows the topology of a sniffer connected through a cable TAP junction box.

 

 

Figure 2.2 Topology of a network sniffer connected through a cable TAP junction box

The cable TAP junction box solves the transmission-performance problem of a hub, but it is less flexible. When the network problem being solved allows normal business to be interrupted, a hub can be used to sniff at any point where traffic needs to be analyzed, and the original network structure is restored once the problem is solved.

In an unmanaged switch environment, however, there are cases where the sniffer must not interrupt business or change the existing network structure, so a hub cannot be used, and no device such as a TAP is already in place. How, then, can we connect the sniffer to the target switched network and capture all traffic entering and leaving a workstation or the whole LAN? In this case, we can choose sniffing software with special functions to do the job.

Some sniffing software, such as Dsniff and Ettercap, can capture packets in a switched network. With such software you can obtain all the packets entering and leaving a host on the LAN without any special device.

In fact, the sniffing software that works in a switched environment obtains packets by using network attack techniques. The attack methods these programs may use are the following:

1. Switch flooding (MAC address table overflow)

A switch maintains a MAC address table so that it can forward each packet to the correct port. When a large number of forged MAC addresses fill up the switch's table, the switch broadcasts the additional traffic to every computer in the LAN, just like an ordinary hub. So once the sniffer has filled the switch's MAC address table with useless addresses, the switch forwards all packets to the whole LAN in broadcast mode, and the sniffer only needs to set its Ethernet NIC to promiscuous mode to capture every packet in the switched network. The macof tool in the Dsniff package implements this MAC address table overflow attack.

Many larger switches no longer have this problem: they limit how far the MAC address table can be filled, and when the table reaches a certain capacity they disable broadcast forwarding or shut down the affected ports.
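The following simulation ties together the two switch behaviours the article relies on: forwarding by MAC address table (which is why a sniffer on an ordinary port sees nothing of other hosts' unicast traffic), the mirror port that gives the sniffer a copy anyway, and the per-port MAC limit (port security) with which larger switches stop the table from being filled. It is an added illustration, not code from the article or from any switch vendor; the port names, MAC addresses, table size and limits are constructed.

```python
"""Simulated learning switch, showing (1) why a sniffer on an ordinary port sees
nothing of other hosts' unicast traffic, (2) what a SPAN/mirror port changes and
(3) how a per-port MAC limit (port security) stops MAC table overflow.
Added illustration, not code from the article; port names, MAC addresses and
limits are constructed."""
from collections import namedtuple

Frame = namedtuple("Frame", "in_port src dst")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, table_capacity=8, max_macs_per_port=None, mirror_port=None):
        self.ports = list(ports)
        self.capacity = table_capacity              # total MAC table size
        self.max_macs_per_port = max_macs_per_port  # port-security limit, None = off
        self.mirror_port = mirror_port              # SPAN destination, None = no mirroring
        self.mac_table = {}                         # learned MAC -> ingress port
        self.err_disabled = set()                   # ports shut down by port security
        self.events = []                            # human-readable log of decisions

    def _learn(self, frame):
        port = frame.in_port
        if frame.src in self.mac_table:
            self.mac_table[frame.src] = port        # refresh (or host moved)
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.mac_table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                # port security: too many distinct sources on one access port
                self.err_disabled.add(port)
                self.events.append(f"port-security violation on {port} by {frame.src}; port err-disabled")
                return
        if len(self.mac_table) >= self.capacity:
            # table full: this source is not learned, so frames addressed to it flood
            self.events.append(f"MAC table full, {frame.src} not learned")
            return
        self.mac_table[frame.src] = port

    def forward(self, frame):
        """Return the set of egress ports that receive a copy of the frame."""
        if frame.in_port in self.err_disabled:
            return set()
        self._learn(frame)
        if frame.in_port in self.err_disabled:
            return set()                            # the violating frame is dropped
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            # unknown or broadcast destination: flood all ports except ingress and SPAN destination
            egress = {p for p in self.ports if p not in (frame.in_port, self.mirror_port)}
        elif out_port == frame.in_port:
            egress = set()                          # destination sits on the ingress port
        else:
            egress = {out_port}
        if self.mirror_port is not None and self.mirror_port != frame.in_port:
            egress.add(self.mirror_port)            # SPAN copy for the sniffer
        return egress


A, B, C, D, E = ("02:00:00:00:00:%02x" % i for i in range(1, 6))  # constructed MACs


def run_scenario():
    """Walk small switches through the cases the article describes."""
    plain = Switch(ports=["p1", "p2", "p3"])
    first = plain.forward(Frame("p1", A, B))       # B unknown: flooded, sniffer on p3 sees it
    second = plain.forward(Frame("p2", B, A))      # A known on p1: unicast, p3 sees nothing

    span = Switch(ports=["p1", "p2", "p3", "p4"], mirror_port="p4")
    span.forward(Frame("p1", A, B))
    mirrored = span.forward(Frame("p2", B, A))     # unicast to p1 plus a copy to p4

    secure = Switch(ports=["p1", "p2", "p3"], max_macs_per_port=2)
    secure.forward(Frame("p1", A, B))
    secure.forward(Frame("p3", C, A))
    secure.forward(Frame("p3", D, A))
    violation = secure.forward(Frame("p3", E, A))  # third MAC on p3: dropped, port shut
    return {"first": first, "second": second, "mirrored": mirrored,
            "violation": violation, "shut_ports": set(secure.err_disabled),
            "events": list(secure.events)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the second frame of the A/B exchange reaching only p1 on the plain switch, p1 and the mirror port p4 on the SPAN switch, and the third source MAC on p3 of the port-security switch being dropped with p3 err-disabled. The per-port limit is the cheap mitigation: a real host rarely presents more than a handful of MAC addresses on an access port, so a low limit blocks table overflow long before the table fills.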

2. ARP redirection (ARP redirects)

When one computer needs the MAC address of another, it sends an ARP request for that address. Each computer maintains an ARP table containing the MAC addresses of the computers it has communicated with, but the table is refreshed periodically and expired entries are deleted. ARP requests are broadcast even in a switched environment, because the request does not carry the MAC address of a specific recipient, so when a workstation on the LAN sends an ARP request every computer in the same network segment receives it. Each computer then compares the IP address carried in the request with its own, and the host that owns that IP address sends back an ARP reply containing its MAC address.

A sniffer can therefore exploit this behaviour and use ARP to deceive the hosts on the switch, sniffing the traffic of one workstation or of the whole network. For example, the sniffer sends a crafted ARP packet claiming to be the router of the network segment; when the computers receive it they update their ARP tables and from then on send their packets to the sniffer. To keep normal network services working, the sniffer must forward all that traffic on again, which requires the network performance of the network sniffer to ensure positive Packet
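Because the redirection above works by making hosts accept a new IP-to-MAC binding, the defender's counterpart is to watch the ARP replies on the segment (from a mirror port or TAP) and flag any IP, above all the gateway's, whose claimed MAC changes. The monitor below is an added example, not code from the article or from Dsniff or Ettercap; the gateway address and the reply records are constructed.

```python
"""ARP-reply consistency monitor: records the IP-to-MAC binding each ARP reply
claims and flags any IP whose claimed MAC changes, treating the default gateway
as the highest-priority case.  Added example, not code from the article; the
gateway address and the reply records below are constructed."""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac target_ip")

GATEWAY_IP = "192.168.1.1"   # assumed gateway of the constructed LAN


def is_gratuitous(reply):
    """A reply announcing the sender's own address to everyone: typical of
    spoofing, but also sent legitimately after an address or NIC change."""
    return reply.target_ip == reply.sender_ip


def find_arp_conflicts(replies, gateway_ip=GATEWAY_IP):
    """Return one alert for every reply whose sender MAC differs from the MAC
    first seen for that IP."""
    bindings = {}   # ip -> first MAC that claimed it
    alerts = []
    for r in replies:
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = r.sender_mac
            continue
        if known != r.sender_mac:
            alerts.append({
                "ts": r.ts,
                "ip": r.sender_ip,
                "old_mac": known,
                "new_mac": r.sender_mac,
                "gratuitous": is_gratuitous(r),
                "severity": "high" if r.sender_ip == gateway_ip else "medium",
            })
    return alerts


# Constructed ARP replies, as a sniffer on a mirror port might see them.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.1.1", "00:11:22:33:44:01", "192.168.1.20"),   # gateway answers host .20
    ArpReply(1.5, "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),   # host .20 answers gateway
    ArpReply(2.0, "192.168.1.30", "00:11:22:33:44:30", "192.168.1.1"),
    ArpReply(7.0, "192.168.1.1", "00:11:22:33:44:99", "192.168.1.1"),    # gateway IP claimed by another MAC
    ArpReply(7.1, "192.168.1.30", "00:11:22:33:44:30", "192.168.1.20"),  # unchanged binding, no alert
]

if __name__ == "__main__":
    for alert in find_arp_conflicts(SAMPLE_REPLIES):
        print(alert)
```

On the sample data the monitor raises a single high-severity alert for the gateway IP at ts 7.0. A changed binding is not proof of spoofing on its own: a replaced NIC or a DHCP lease moving to another host produces the same signal, so alerts need confirmation against the switch's MAC address table. On hosts that matter, a static ARP entry for the gateway removes the dependence on replies altogether, and managed switches that support Dynamic ARP Inspection can drop replies that contradict the DHCP snooping binding table before they reach any host.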
